The Update Framework (TUF)

Like the S in HTTPS, a plug-and-play library for securing a software updater

A Framework for Securing Software Update Systems

The Update Framework (TUF) helps developers to secure new or existing
software update systems, which are often found to be vulnerable to many
known attacks. TUF addresses this widespread problem by providing a
comprehensive, flexible security framework that developers can integrate
with any software update system. The framework can be easily integrated (or
implemented in the native programming languages of these update systems)
due to its concise, self-contained architecture and specification.
Developers have so far implemented the framework in the
Go,
Haskell,
Python,
Ruby,
and Rust programming languages.

What is a software update system?

Generally, a software update system is an application (or part of an
application) running on a client system that obtains and installs software.
This can include updates to software that is already installed or even
completely new software.

Three major classes of software update systems are:

Application updaters which are used by applications use to update themselves. For example, Firefox updates itself through its own application updater.

Library package managers such as those offered by many programming languages for installing additional libraries. These are systems such as Python’s pip/easy_install + PyPI, Perl’s CPAN, Ruby’s Gems, and PHP’s PEAR.

System package managers used by operating systems to update and install all of the software on a client system. Debian’s APT, Red Hat’s YUM, and openSUSE’s YaST are examples of these.

Our approach

There are literally thousands of different software update systems in
common use today. (In fact the average Windows user has about two dozen
different software updaters on their machine!)

We built a
specification
and library that can be
universally (and in most cases transparently) used to secure software
update systems.

News

October 24, 2017

The Cloud Native Computing Foundation announces at Open Source Summit
Europe that it was adding TUF as its 14th hosted project. Notary, Docker’s
implementation of TUF, was also added at that time.
https://www.cncf.io/announcement/2017/10/24/cncf-host-two-security-projects-notary-tuf-specification/

September 8, 2017

Cloudfare releases PAL, a container identity bootstrapping tool. It is open
source and uses Notary, Docker’s implementation of TUF. PAL “confirms that
a specific container hash maps to specific metadata like a container’s name
and label.”
https://blog.cloudflare.com/pal-a-container-identity-bootstrapping-tool/

July 5, 2017

TUF will be featured in DebConf17, an “annual conference for Debian contributors and
users interested in improving Debian.” The conference will take place in Montreal,
Canada, August 6 - 12, 2017.
https://debconf17.debconf.org/talks/153/

July 3, 2017

Dr. Trishank Karthik Kuppusamy defended his dissertation on TUF and
Uptane. Congratulations! Work on these
projects will continue as Sebastien, Vlad, Justin, and others move forward!

Riyaz Faizullabhoy from Docker gave a talk on TUF and Notary at LinuxCon North America. Slides of his talk are available here:
https://events.linuxfoundation.org/events/linuxcon-north-america/program/slides

The Update Framework now has a logo to call its own. Thanks is given to Maria Jose Barrera (https://twitter.com/joseemari) for creating the logo, and to Santiago Torres for making it happen.

February 18, 2016

The camera-ready version of “Diplomat: Using Delegations to Protect Community Repositories” was recently submitted to NSDI 2016. The paper is freely available here on our website.

August 12, 2015

In TUF adoption news… the Docker team announced Docker Content Trust, which integrates TUF via Notary. Docker Content Trust will be available starting with Docker 1.8, and supports image signing and verification. For more information on the Docker + TUF integration, please visit:
https://blog.docker.com/2015/08/content-trust-docker-1-8/

Acknowledgements

This material is based upon work supported by the National Science
Foundation under Grant No. CNS-1345049 and CNS-0959138. Any opinions,
findings, and conclusions or recommendations expressed in this material are
those of the author(s) and do not necessarily reflect the views of the
National Science Foundation.